Re: Change authentication error message (patch) - Mailing list pgsql-hackers

From Markus Wanner
Subject Re: Change authentication error message (patch)
Date
Msg-id 51C2E418.8030109@bluegap.ch
Whole thread Raw
In response to Re: Change authentication error message (patch)  (Marko Tiikkaja <marko@joh.to>)
List pgsql-hackers
On 06/20/2013 12:27 PM, Marko Tiikkaja wrote:
> My understanding is that the attacker would already have that
> information since the server would have sent an
> AuthenticationMD5Password message to get to the error in the first
> place.  And we still reveal the authentication method to the frontend in
> all other cases ("peer authentication failed", for example).

Oh, right, I wasn't aware of that. Never mind, then.

+1 for keeping it mention "password authentication" explicitly.

However, thinking about this a bit more: Other authentication methods
may also provide password (or even account) expiration times. And may
fail to authenticate a user for entirely different reasons.

Given that, I wonder if "password expired" is such a special case worth
mentioning in case of the "password auth" method. If we go down that
path, don't we also have to include "auth server unreachable" as a
possible cause for authentication failure for methods that use an
external server?

Regards

Markus Wanner



pgsql-hackers by date:

Previous
From: Magnus Hagander
Date:
Subject: Re: Config reload/restart preview
Next
From: Pavan Deolasee
Date:
Subject: Re: Config reload/restart preview